Difference between revisions of "Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone"

From Ever changing code
Revision as of 18:49, 10 November 2013

Below is a basic configuration for an AIR-SAP 1602E-E-K9 access point connected to the 4-port EHWIC switch card installed in a Cisco 1941 ISR G2 modular router.

Product coding

Product/Model Number: AIR-SAP1602E-E-K9
IOS C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)

                Regulatory Domain
               /
AIR-SAP 1602E-E-K9
     \       \_External antenna
      \_C_ stands for: CAPWAP (Control and Provisioning of Wireless Access Points Protocol) AP, which requires a WLC (Wireless LAN Controller)
       \_S_ stands for: Standalone AP
Router show inventory
#show inventory
NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0"
PID: CISCO1941/K9      , VID: V05 , SN: ***********
NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand  EDGE/GPRS and GPS"
PID: EHWIC-3G-HSPA+7   , VID: V01 , SN: ***********
NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705"
PID: MC8705            , VID: 1.0, SN: ***********
NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch"
PID: EHWIC-4ESG-P      , VID: V01 , SN: ***********
NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply"
PID: PWR-1941-POE      , VID:    , SN:
Access point show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11

Note that the access points are powered by Power over Ethernet (PoE). Power consumption differs by model: an AIR-CAP (managed) access point draws 13 W, whereas an AIR-SAP (standalone) access point draws 15.4 W.

#sh power inline
PowerSupply   SlotNum.   Maximum   Allocated       Status
-----------   --------   -------   ---------       ------
INT-PS           0        80.000    46.200         PS GOOD
Interface   Config   Device   Powered    PowerAllocated   State
---------   ------   ------   -------    --------------   -----
Gi0/1/0     auto     Unknown  Off        0.000 Watts      NOT_PHONE
Gi0/1/1     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/2     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/3     auto     IEEE-3   On        15.400 Watts      PHONE
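As an added example (not from the original page), the following Python parses the 'show power inline' output above, checks that the per-port allocations add up to the figure the supply reports, and works out how many more APs of each type (13 W AIR-CAP or 15.4 W AIR-SAP) the remaining budget and the free ports would take. The sample output is a constructed copy of the table above.

```python
import re

# Constructed copy of the 'show power inline' output shown on this page.
SHOW_POWER = """\
PowerSupply   SlotNum.   Maximum   Allocated       Status
-----------   --------   -------   ---------       ------
INT-PS           0        80.000    46.200         PS GOOD
Interface   Config   Device   Powered    PowerAllocated   State
---------   ------   ------   -------    --------------   -----
Gi0/1/0     auto     Unknown  Off        0.000 Watts      NOT_PHONE
Gi0/1/1     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/2     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/3     auto     IEEE-3   On        15.400 Watts      PHONE
"""
# Per-AP draw quoted above: AIR-CAP (controller-managed) vs AIR-SAP (standalone).
AP_DRAW_W = {"AIR-CAP": 13.0, "AIR-SAP": 15.4}

SUPPLY_RE = re.compile(r"^(\S+)\s+\d+\s+([\d.]+)\s+([\d.]+)\s+(.+?)\s*$", re.M)
PORT_RE = re.compile(r"^(Gi\S+)\s+\S+\s+(\S+)\s+(On|Off)\s+([\d.]+) Watts", re.M)

def parse_power_inline(text):
    """Return (maximum W, allocated W, {port: (device class, powered?, watts)})."""
    supply = SUPPLY_RE.search(text)
    ports = {m.group(1): (m.group(2), m.group(3) == "On", float(m.group(4)))
             for m in PORT_RE.finditer(text)}
    return float(supply.group(2)), float(supply.group(3)), ports

def poe_budget(text):
    """Check the allocation adds up and how many more APs of each type would fit."""
    maximum, allocated, ports = parse_power_inline(text)
    findings = []
    per_port = sum(w for _, _, w in ports.values())
    if abs(per_port - allocated) > 0.01:
        findings.append(f"ports sum to {per_port:.3f} W but supply reports {allocated:.3f} W allocated")
    headroom = maximum - allocated
    free_ports = [p for p, (_, on, _) in ports.items() if not on]
    # Limited by both the remaining watts and the number of unpowered ports.
    more = {kind: min(len(free_ports), int(headroom // draw)) for kind, draw in AP_DRAW_W.items()}
    return {"headroom_w": round(headroom, 3), "free_ports": free_ports,
            "more_aps": more, "findings": findings}
```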
Default account credentials on the access point
Username: Cisco
Password: Cisco
Enabled mode: Cisco

Basic AP config with WPA2-PSK auth

  • remember to issue 'no shutdown' on the radio interfaces, as they are administratively down out of the box; 'no shutdown' is included in the config below for interface Dot11Radio0
  • remember to change the 'password' values and the AP 'hostname' when deploying the config
  • not sure why, but when applying the config the BVI1 interface does not take any changes
  • remember to set the domain name and generate the crypto key, otherwise you will not be able to log in using SSH; follow the steps below:
conf t
ip domain name lma.gateway
! the key label for hostname ap1 and ip domain name lma.gateway will be ap1.lma.gateway
crypto key generate rsa label hostname.ipdomainname general-keys modulus 1024
^Z
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
!
logging rate-limit console 9
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name lma.gateway
!
!
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
dot11 ssid DS_Guest
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 guestpassword
!
dot11 ssid DS_MGM
   vlan 99
   authentication open
   authentication key-management wpa version 2
   ! mbssid guest-mode commented out to prevent broadcasting BSSID
   wpa-psk ascii 0 managementpassword
!
dot11 ssid DS_WPA2
   vlan 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wirelesspassword
!
!
crypto pki token default removal timeout 0
!
!
username ****tech privilege 1 secret 0 techpassword
username **neteng privilege 15 secret 0 netengpassword
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
sntp server 10.0.99.100
!
end
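An added example, not part of the original page: a small Python checker that reads an AP config in the format above and verifies, for each dot11 ssid, that WPA2 key management is set, that the SSID's VLAN has an aes-ccm cipher on Dot11Radio0, and that the Dot11Radio0 and GigabitEthernet0 sub-interfaces for that VLAN share one bridge-group; it also flags HTTP management enabled without HTTPS, as in the config above. The config excerpt is constructed and deliberately incomplete for VLAN 99 so that the checker has something to report.

```python
import re
# Constructed excerpt shaped like the AP config on this page; the VLAN 99 plumbing
# and WPA2 line for DS_MGM are deliberately left out so the checker reports them.
AP_CONFIG = """\
dot11 ssid DS_Guest
   vlan 20
   authentication key-management wpa version 2
dot11 ssid DS_MGM
   vlan 99
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
ip http server
no ip http secure-server
"""

def sections(cfg):  # {header: [indented lines]}, split wherever a line starts at column 0
    return {c.split("\n")[0]: [l.strip() for l in c.split("\n")[1:] if l.strip()]
            for c in re.split(r"\n(?=\S)", cfg.strip()) if c != "!"}

def first_int(lines, pattern, idx):  # int at word idx of the first line matching pattern
    return next((int(l.split()[idx]) for l in lines if re.match(pattern, l)), None)

def audit_ap(cfg):
    b, findings = sections(cfg), []
    radio = b.get("interface Dot11Radio0", [])
    enc = {int(l.split()[2]) for l in radio if re.match(r"encryption vlan \d+ mode ciphers aes-ccm$", l)}
    subif = {}  # (Dot11Radio0 | GigabitEthernet0, dot1Q vlan) -> bridge-group number
    for hdr, lines in b.items():
        m = re.match(r"interface (Dot11Radio0|GigabitEthernet0)\.\d+$", hdr)
        if m:
            subif[m.group(1), first_int(lines, "encapsulation dot1Q ", 2)] = first_int(lines, r"bridge-group \d+$", 1)
    for hdr, lines in b.items():
        if hdr.startswith("dot11 ssid "):
            name, vlan = hdr.split()[2], first_int(lines, "vlan ", 1)
            if "authentication key-management wpa version 2" not in lines:
                findings.append(f"{name}: not WPA2")
            if vlan not in enc:
                findings.append(f"{name}: no aes-ccm encryption for VLAN {vlan} on Dot11Radio0")
            r, g = subif.get(("Dot11Radio0", vlan)), subif.get(("GigabitEthernet0", vlan))
            if r is None or r != g:  # radio and wired sides must share one bridge-group
                findings.append(f"{name}: VLAN {vlan} bridge-group radio={r} wired={g}")
    if "ip http server" in b and "ip http secure-server" not in b:
        findings.append("management: HTTP enabled without HTTPS")
    return findings
```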

Configure WPA2 from the web interface

Security > Encryption Manager
  1. Set Encryption Mode and Keys for VLAN: from the drop-down menu
  2. Tick Cipher and select AES CCMP from the drop-down menu
Security > SSID Manager
  1. Select <NEW>
  2. Type SSID_name into SSID box
  3. Select VLAN
  4. Tick Interface Radio0 (2.4 GHz)
  5. Key Management: Mandatory
  6. Tick: Enable WPA and select WPAv2 from the drop-down menu
  7. Enter your WPA Pre-shared Key into a box
  8. Enable SSID broadcast in beacons (requires enabling per SSID)
    1. Go to section: Multiple BSSID Beacon Settings
    2. Check: Set SSID as Guest Mode
  9. Press Apply
  10. Enable multiple SSIDs to be broadcast (requires enabling once per AP/radio)
    1. Go to section: Guest Mode/Infrastructure SSID Settings
    2. Check: Multiple BSSID
    3. Press Apply
Error message when ticking CCKM
ERROR:
VLAN 99 cannot support CCKM.
Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption  Manager).
Error message when enabling WPA
ERROR:
VLAN 99 cannot support WPA optional.
Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' 
or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.
(See Security> Encryption Manager) To set the correct 'Key Management', follow the steps below: STEP 1:Set the 'Key Management' to 'None'. STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager) STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.

Basic router config

Applying config

  1. Adapt the config to your needs following the color coding and place it in the TFTP root folder
  2. Connect interface Gi0/0 to a laptop running a TFTP server
  3. Optionally, on the Windows laptop issue route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13 to keep internet access
  4. At the router, issue copy tftp: startup and follow the wizard
  5. Reload the router with reload, but do not save the configuration changes when prompted

Router config

!
! Last configuration change at 00:50:58 UTC Wed Oct 23 2013 by tech
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000
logging console warnings
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
ip dhcp pool WIRELESS
 import all
 network 10.0.10.0 255.255.254.0
 default-router 10.0.10.1 
 dns-server 10.0.10.1 8.8.8.8 
 domain-name lan.gateway
 lease 0 2
!
ip dhcp pool WIRELESS-GUEST
 network 10.0.20.0 255.255.254.0
 default-router 10.0.20.1 
 dns-server 10.0.20.1 8.8.8.8 
 domain-name lan-guest.gateway
 lease 0 2
!
ip dhcp pool MANAGEMENT
 network 10.0.99.0 255.255.255.128
 default-router 10.0.99.100 
 dns-server 10.0.99.100 8.8.8.8 
 domain-name lan.management
 lease 0 2
!
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
!
ip dhcp pool AP2
 host 10.0.99.2 255.255.255.128
 client-identifier 017c.69f6.e1d9.18
!
ip dhcp pool AP3
 host 10.0.99.3 255.255.255.128
 client-identifier 017c.69f6.e1d9.78
!
ip dhcp pool LAN
 network 10.0.30.0 255.255.254.0
 default-router 10.0.30.1 
 dns-server 194.72.0.114 194.72.0.114 
 domain-name lan.gateway
 lease 0 2
!
ip domain name lma.geteway
no ipv6 cef
multilink bundle-name authenticated
!
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!
license udi pid CISCO1941/K9 sn routerserialnumber
!
license accept end user agreement
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
!
username ****tech privilege 0 secret 0 techpassword
username **neteng  privilege 15 secret 0 netengpassword
!
!
controller Cellular 0/0
controller VDSL 0/0/0
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.30.1 255.255.254.0
 ip nat enable
 duplex auto
 speed auto
 no shutdown
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 ntp disable
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface GigabitEthernet0/1/0
 description Trunk Port to Cisco AP AIR-SAP1602
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/1
 description Trunk Port to Cisco AP AIR-SAP1602
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/2
 description Trunk Port to Cisco AP AIR-SAP1602
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
!
interface Cellular0/0/0
 description WAN link to Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
!
interface Vlan99
 description Eherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ip virtual-reassembly in
!
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
 ip address ip.add.re.ss m.a.s.k
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
!
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^C
This system is for COMPANY authorized use only. It is
monitored to detect improper use and other illicit activity.
There is no expectation of privacy while using this system.

^C
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec
 rxspeed 21600000
 txspeed 5760000
line 0/0/1
 no exec
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp master
!
end
Key
  • Blue - variables: passwords, host names, serial numbers
  • Green - Cellular/3G card configuration
  • Purple - ATM/ADSL card configuration

Applying VLANs

conf t
vlan 10
name WIRELESS
vlan 20
name GUEST-WIRELESS
vlan 99
name MANAGEMENT&NATIVE
^Z
Verify
R1#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
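An added example (not from the original page) that checks the router side of the trunk against what the AP needs: it expands 'switchport trunk allowed vlan' lists, compares them and the native VLAN with the VLANs the AP bridges (10, 20 and 99 as native), and confirms each of those VLANs is active in 'show vlan-switch'. Both inputs are constructed excerpts in the shape of the config and output above, with VLAN 20 deliberately left out of both.

```python
import re

# Constructed excerpts in the shape of this page's router config and 'show vlan-switch'
# output; VLAN 20 is deliberately missing from both so the checker has something to report.
TRUNKS = """\
interface GigabitEthernet0/1/0
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,99,1002-1005
 switchport mode trunk
"""
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
"""
AP_VLANS, AP_NATIVE = {10, 20, 99}, 99  # VLANs the AP bridges; 99 is its dot1Q native

def expand(vlan_list):  # '1,10,1002-1005' -> {1, 10, 1002, 1003, 1004, 1005}
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunks(cfg):  # {port: (native vlan, allowed set)} for every trunk-mode port
    trunks = {}
    for blk in re.split(r"\n(?=\S)", cfg.strip()):
        lines = blk.split("\n")
        if " switchport mode trunk" in lines:  # IOS defaults: native 1, all VLANs allowed
            native = next((int(l.split()[-1]) for l in lines if " trunk native vlan " in l), 1)
            allowed = next((expand(l.split()[-1]) for l in lines if " trunk allowed vlan " in l), set(range(1, 4095)))
            trunks[lines[0].split()[1]] = (native, allowed)
    return trunks

def verify(cfg, out):
    first = out.split("\nVLAN Type")[0]  # the second table repeats the ids with other columns
    vlans = {int(m.group(1)): m.group(2) for m in re.finditer(r"^(\d+)\s+\S+\s+(\S+)", first, re.M)}
    findings = []
    for v in sorted(AP_VLANS):
        if vlans.get(v) != "active":
            findings.append(f"VLAN {v} missing or not active in the VLAN database")
    for port, (native, allowed) in parse_trunks(cfg).items():
        if native != AP_NATIVE:
            findings.append(f"{port}: native VLAN {native} but AP expects {AP_NATIVE}")
        if AP_VLANS - allowed:
            findings.append(f"{port}: trunk does not allow VLAN(s) {sorted(AP_VLANS - allowed)}")
    return findings
```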
